Tuesday, June 30, 2009

Finally! The banking industry's 6 year campaign to overturn California's landmark financial privacy law is over...dead...kaput...or at least, so says the Supreme Court! Of course, I want to be measured in my response, so let me just reiterate what a friend of mine wrote me, "Woooohoooo!!!"

I've written about this extensively in recent months, but I'll still give a brief review: For three years the Consumer Federation of California and other privacy advocates worked to enact a law that would give consumers the right to stop banks and other financial institutions from sharing their personal information - including with "affiliates" (which can number in the thousands).

This was achieved when Senate Bill 1 of 2003 (Speier) became law and California established the nation's strongest financial privacy protections. As soon as SB 1 was signed, the financial institutions ran to court to overturn it, arguing that other federal banking laws prevented state regulation of banks and brokerages.

In September 2008, the 9th Circuit declared the right of California consumers to stop disclosure of their personal information among affiliated financial institutions, except where such information was a consumer report. It was soon after that the Supreme Court became poised to take the Banking Industry lobby's appeal and possibly overturn portions of one of the most important victories for privacy advocates in recent memory.

As I wrote at the time, the Supreme Court could of course ignore the Administration’s recommendation and still take the case, though this is unlikely. So, for the time being, Californians' right to control their personal, private financial data is secure. And now it's official! As reported by the San Francisco Chronicle, the Supreme Court has rejected the banks' appeal.

Without comment, the U.S. Supreme Court denied a hearing to the American Bankers Association, which had argued that the 2004 financial privacy law conflicted with a federal law setting nationwide standards for regulating consumer credit reports. The California privacy law, the broadest of its kind in the nation, allows customers to veto a bank's attempt to share certain types of information with affiliated companies. Some of the largest banks have thousands of affiliates in fields far removed from banking....The court said federal law prohibits states from limiting distribution of a bank's consumer reports - which prospective lenders, insurers and even employers can examine - but does not prevent other types of regulation. That means consumers can stop banks from sharing such information as their credit card statements, which a bank-affiliated retailer might use to target advertising based on someone's buying patterns.

Consumer rights groups argued that customers needed those protections because of a 1999 federal law that repealed a ban on bank ownership of insurance companies, brokerage houses and other financial institutions.

"These new financial supermarkets could easily create dossiers on our buying, earning, borrowing and investment histories ... and sell or share this information for purposes such as marketing or profiling," the organizations said in a letter to the Obama administration in March, urging support for the California law.

The Justice Department responded with a filing May 29 that argued that the state law conflicted with federal regulation and should have been overturned - but that the Supreme Court should decline to review it because it wasn't imposing hardships on banks. President George W. Bush's administration had asked lower courts to strike down the California law.

Let me end with a word of caution. The Administration’s brief still gives us more than ample reason to remain concerned and vigilant. Most assuredly, we won a big victory with the Court's decision not to take this case. But as I said back in my critique of the Administration's brief, "...no “blow was struck” for the individual's fundamental, constitutional right to privacy. Or more specific to this case, no mention was even made in the Administration's brief whether they agree with another core principle we believe in: California's right to protect the private financial information of its citizens outweighs the corporation’s right to profit off it."

I suppose - if feeling exceptionally optimistic - I could conclude that perhaps the administration was signaling to the banks that if they support a national standard, they could avoid their worst nightmare of all: facing 50 different versions of data privacy rules. I've read this interpretation, though the devil would be in the details.

It goes without saying that we would support a uniform, national standard on the issue of financial privacy that mimics California's SB 1 (or something close to it). But if Obama is signaling support for a national standard that is substantially weaker than SB 1, then such a move would be no victory for privacy. Only time will tell...

Monday, June 29, 2009

I'm going to keep this short and sweet today. For a detailed analysis of the recently introduced “Providing for Additional Security in States’ Identification Act” (PASS ID), check out my post from Friday.

I'm afraid to say - as I stated on Friday - even as PASS ID represents a break from, and an improvement on, REAL ID, it simply isn't an acceptable alternative to those who cherish privacy and are concerned with the ever-expanding power of government in areas related to "national security". The fact is, PASS ID continues the one key component of REAL ID that privacy advocates were most opposed to: the creation of a national identification card.

Napolitano, as governor of Arizona, had a mixed record on Real ID. In June 2008, she signed legislation passed by the Arizona State Legislature to prohibit the state from complying with Real ID. However, in August 2007, Napolitano was one of the first governors to reach an agreement with the Homeland Security Department to produce an enhanced driver’s license that would also serve as a substitute for a U.S. passport at the U.S.-Mexico border. These licenses, which are now being produced in Washington State, New York and Vermont, are designed to comply with Real ID. The National Governors Association has praised Pass ID, saying it would reduce costs, offer greater flexibility to states, eliminate the need for costly new data systems and strengthen privacy protections. However, the American Civil Liberties Union said risks to privacy are still a major concern under Pass ID.

I'll be covering the progress of this legislation right here...

Electronic Frontier Foundation Files Suit Against Justice Dept.

Where would we be without organizations like the ACLU and EFF??? Seriously! In yet another laudable effort to take on, and expose the most entrenched corporate and government powers on behalf of individual privacy, EFF has filed a lawsuit against the Justice Department demanding the public release of the surveillance guidelines that govern investigations of Americans by the FBI.

The protocols took effect in December 2008 and detail the bureau's procedures and standards for implementing the attorney general's guidelines on approved surveillance strategies. The Electronic Frontier Foundation's complaint comes after DOJ failed to respond to a Freedom of Information Act request for a complete copy of the document. FBI General Counsel Valerie Caproni has acknowledged that "the expansion of techniques available [to the bureau] has raised privacy and civil liberties concerns."

Investigations can include the electronic collection of information from online sources and computer databases, as well as the use of grand jury subpoenas to obtain telephone and e-mail subscriber information, EFF said in a press release. Other recent policy changes allow the FBI to engage in free-ranging investigation of Internet sites, libraries, and religious institutions, the group said. "Americans have the right to know the basic surveillance policies used by federal investigators and how their privacy is -- or is not -- being protected," EFF senior counsel David Sobel said. Read EFF's full complaint to the U.S. District Court for the District of Columbia here.

As with PASS ID, I will follow this case here, and provide more details in coming posts.

Friday, June 26, 2009

As I always do when discussing REAL ID, before I get to the articles I want to highlight, I like to give a quick refresher course on the Act and the state revolt that it inspired:

The Real ID Act was approved by Congress - underhandedly as a rider - and then signed into law by President Bush in 2005 as part of the government's so called "war on terror".

At the time, few lawmakers even knew what they were voting for, or necessarily supported the concept to begin with. Since that time the law has evoked widespread criticism from privacy advocates and civil rights groups, which say it would create a de facto national identity card system that would be hard to manage and even harder to secure. The law requires states to issue new licenses which are supposed to screen potential terrorists and identify illegal immigrants.

Once the IDs and database are in place, their uses will inevitably expand to facilitate a wide range of surveillance activities. Remember, the Social Security number started innocuously enough, but it has become a prerequisite for a host of government services and been co-opted by private companies to create massive databases of personal information. A national ID poses similar dangers; for example, because "common machine-readable technology" will be required on every ID, the government and businesses will be able to easily read your private information off the cards in myriad contexts.

The States Rebel!

Since the law's enactment, at least 42 states have considered anti-Real ID legislation, and another 24 states have enacted anti-real ID bills or resolutions, and fourteen of those states have passed binding legislation prohibiting participation in the Real ID program. Five more states have already passed resolutions or statutes in 2009 - with Missouri likely becoming the next state to opt out of Real ID if its governor signs legislation currently before him.

Initially, States had until May of 2008 to implement Real ID, but the department extended that until Dec. 31, 2009. If they need more time and have met certain benchmarks, states can request an extension until May 11, 2011.

The Obama Administration has recently begun voicing its opposition to key components of REAL ID. This fact, combined with overwhelming state opposition and the fast-approaching deadline states face for implementation, has led to a renewed debate in the Senate as to whether it should be abolished altogether, or simply take a modified, more "mild" form, known as PASS ID.

Senator Daniel Akaka (D-HI) - seeking to reform the REAL ID Act - introduced the “Providing for Additional Security in States’ Identification Act” (PASS ID) last week with 5 co-sponsors, offering some important privacy protections, most notably eliminating interconnected databases and repealing the requirement that states query other states or verify birth certificates with the originating agencies. The bad news is, PASS ID could ultimately become the basis for a National ID.

I would echo the comments made by the ACLU'S Chris Calabrese, Counsel of the ACLU Technology and Liberty Program:

“Senator Akaka is right in his efforts to eliminate a substantial number of the more problematic aspects of Real ID, including the creation of a national database of driver information and misuse of license information by the private sector...Any day now, we will have fully half of all states on record opposing Real ID. We agree with Secretary of Homeland Security Napolitano that the best solution to the Real ID Act is to repeal it.”

With all this said, let me get to my two featured "articles" today. Joan Friedlan focuses on the anti-immigrant aspect of PASS ID in a piece entitled "The Real ID Act Is an Unfixable Disaster...Why Tinkering with it Won't Help". In this clip, she points out some of the disturbing similarities shared by PASS ID and REAL ID, which include:

Make non-citizens prove lawful immigration status to get a license. Immigration law is complicated, contradictory and ever-changing, so it is not surprising that REAL ID left out some categories of lawfully present immigrants who should be eligible for a license—such as trafficking—victim applicants for non-immigrant visas or those protected under the Convention against Torture.

PASS ID attempts to cure some of these deficiencies, but at the same time gives DHS unreviewable discretion to add categories of lawfully present non-citizens, leaving open the possibility that this might be done in a discriminatory or irrational way. States will likely find a shifting list of eligible immigration statuses to be confusing and cumbersome.

Recognize that exceptional circumstances – e.g. Hurricane Katrina – can make it impossible for people to provide the required documents for a license. States can set up an “exceptions process” to deal with this. But states can’t do the same for immigration status, even if people lose their documents proving immigration status in the very same disaster.

Require a passport as the only foreign document that can be used to prove identity and date of birth for a driver’s license—even though other documents such as birth certificates and school records can be used in actually obtaining legal status.

On a similar note, the ACLU has published a one-page fact sheet that sums up quite nicely exactly why PASS ID is an inadequate fix for REAL ID. Here are a couple of useful highlights:

PASS ID would impose the United States' first-ever national identity card system, which would violate privacy by helping to consolidate data and facilitate tracking. After a 5-year hiatus to allow for implementation, PASS ID will be required for boarding airplanes in the same manner as Real ID, and over time its use will almost certainly expand to cover other activities necessary to participate in society.

PASS ID mandates that all identity source documents be copied physically or digitally and retained as long as the license is valid. By creating troves of sensitive documents on millions of individuals, this provision will be a dream for identity thieves. In a provision that is actually worse than Real ID, PASS ID will allow insecure technology such as radio RFID chips to be used as part of PASS ID, despite the strong potential that technology holds for tracking of individuals' movements. While PASS ID makes some concessions for the security of domestic violence victims, it still requires victims to get approval from the state before they can shield their identity. Click here to read the fact sheet in full.

Again, I will defer to the ACLU on this, as I just couldn't agree more with the conclusion they reach on REAL ID, PASS ID, and what appears to be in the end, the government's continued efforts to march us, slowly but surely, towards a national identification card:

This legislation is entirely unnecessary because, thanks to the rebellion in the states, the Real ID Act is already dead...Rather than saving Americans from the Real ID legislation that they have rejected in such large numbers, PASS ID would actually rescue the core policies of Real ID at a time when it is about to die of its own misguided impracticality.

The problems inherent in Real ID cannot be solved by tinkering around the edges of the act. Instead, the entire unworkable system must be scrapped and replaced with a system that does not endanger Americans' privacy and civil liberties, such as a "negotiated rulemaking" process that brings together stakeholders to hash out wise and realistic improvements to driver's licenses (such a process was underway before Real ID shut it down). The PASS ID Act creates more problems than it solves, and it should not be viewed as a viable alternative to a true repeal of Real ID.

Perhaps the most important step Congress could take is to engage the American people in a real debate as to the value of a national ID. Remember, REAL ID was passed without that debate, and with fear as the trump card, and slipped deeply into a spending bill that funded the war and tsunami relief.

If the American people and their representatives agree that creation of some form of national ID makes sense, the government can then take steps to implement it in a way that is fair, reasonable and secure. But if we decide that people should not need papers to travel freely within the borders of their own country, the issue of creating and securing state databases of personally identifiable information becomes moot.

In the meantime, I'm afraid to say that even as we are taking steps away from adopting the REAL ID concept as first proposed, we continue (with PASS ID anyway) moving towards something nearly as unacceptable: a national identification card. Stay tuned...

Wednesday, June 24, 2009

I want to expand on my post from yesterday regarding Deep Packet Inspection (DPI) technology, Iran and China's usage of it to monitor their citizens and stifle dissent, American and European companies' development and sale of this freedom-crushing technology to those nations, the threat that it poses to consumer privacy (and the Internet itself) in OUR country, and how it all ties back to our own little Constitutional crisis known as warrantless wiretapping (read my post from last week on the latest revelations on that subject).

DPI technology is capable of tracking Internet communications in real time, monitoring the content, and deciding which messages or applications will get through the fastest.

Further, the Iranians appear to be using DPI "to not only block communication but to monitor it to gather information about individuals, as well as alter it for disinformation purposes." And, the Chinese government is believed to be using it to implement its "Great Firewall," "widely considered the most advanced and extensive censoring in the world" -- an "arrangement that depends on the cooperation of all the service providers."

Josh Silver, executive director of Free Press, a media policy group, says the actions of Iran and China should alert us to domestic surveillance issues in the U.S. He told me: "This technology that monitors everything that goes through the Internet is something that works, it's readily available, and there's no legislation in the United States that prevents the U.S. government from employing it...It's widely known that the major carriers, particularly AT&T and Verizon, were being asked by the NSA [National Security Agency], by the Bush administration...to deploy off-the-shelf technology made by some of these companies like Cisco." The equipment formed the backbone of the "warrantless wiretapping" program.

...

The warrantless wiretapping program was widely considered illegal. After abruptly switching his position in midcampaign, then-Sen. Barack Obama voted along with most in Congress to grant telecom companies like AT&T and Verizon retroactive immunity from prosecution. The New York Times recently reported that the NSA maintains a database called Pinwale, with millions of intercepted e-mail, including some from former President Bill Clinton....Dissenters in Iran and China persist despite repression that is enabled in part by equipment from U.S. and European companies. In the U.S., the Obama administration is following a dangerous path with Bush-era spy programs that should be suspended and prosecuted, not extended and defended.

I would point everyone again to my post last week about the latest warrantless wiretapping revelations, which includes video of Senator Feingold's interrogation of AG Eric Holder, as well as Keith Olbermann's interview of New York Times reporter James Risen. Also of note is the article I cite by the always brilliant and informative constitutional law expert, Glenn Greenwald.

Tuesday, June 23, 2009

Recently, electronics manufacturers have developed so-called Deep Packet Inspection (DPI) technology capable of tracking Internet communications in real time, monitoring the content, and deciding which messages or applications will get through the fastest.

"Messages on the Internet are broken down into small units called packets. Each packet contains a header and a data field. The header contains processing information, including the source and destination addresses. The data field contains everything else, including the identity of the source application (such as a Web browser request, a peer-to-peer transfer, or an e-mail), as well as the message itself (part of the contents of a Web page, file or e-mail). Packets are much like letters – the outside of the envelope is like the packet header, and the inside, like the data field, carries the message.

...

"DPI technology opens and reads the data field in real time, allowing network operators to identify and control, at a precise level, everyday uses of the Internet. Operators can tag packets for fast-lane or slowlane treatment – or block the packets altogether – based on what they contain or which application sent them."

...

"Although early uses of real-time DPI by ISPs have been geared toward targeted advertising and reducing congestion, manufacturers market the technology for its ability to determine and control every use of a subscriber’s Internet connection. When a network provider chooses to install DPI equipment, that provider knowingly arms itself with the capacity to monitor and monetize the Internet in ways that threaten to destroy Net Neutrality and the essential open nature of the Internet."

The Chinese government is believed to be using it to implement its "Great Firewall," "widely considered the most advanced and extensive censoring in the world" -- an "arrangement that depends on the cooperation of all the service providers."

The Iranian regime has developed, with the assistance of European telecommunications companies, one of the world's most sophisticated mechanisms for controlling and censoring the Internet, allowing it to examine the content of individual online communications on a massive scale...The monitoring capability was provided, at least in part, by a joint venture of Siemens AG, the German conglomerate, and Nokia Corp., the Finnish cellphone company, in the second half of 2008, Ben Roome, a spokesman for the joint venture, confirmed.

...

All eyes have been on the Internet amid the crisis in Iran, and government attempts to crack down on information. The infiltration of Iranian online traffic could explain why the government has allowed the Internet to continue to function -- and also why it has been running at such slow speeds in the days since the results of the presidential vote spurred unrest.

Users in the country report the Internet having slowed to less than a tenth of normal speeds. Deep packet inspection delays the transmission of online data unless it is offset by a huge increase in processing power, according to Internet experts.

...

Countries with repressive governments aren't the only ones interested in such technology. Britain has a list of blocked sites, and the German government is considering similar measures. In the U.S., the National Security Agency has such capability, which was employed as part of the Bush administration's "Terrorist Surveillance Program." A White House official wouldn't comment on if or how this is being used under the Obama administration.

...

Several years ago, research by OpenNet discovered the government using filtering equipment from a U.S. company, Secure Computing Corp. Due to the U.S. trade embargo on Iran, in place since the 1979 Islamic revolution overthrew the U.S.-backed shah, that was illegal. Secure Computing, now owned by McAfee Inc., at the time denied any knowledge of the use of its products in Iran. McAfee said due diligence before the acquisition revealed no contract or support being provided in Iran.

The dangers that DPI technology poses to consumer privacy cannot - and should not - be understated. It would give network providers unprecedented access to Internet users' private web surfing habits as well as enormous power over consumers and the evolution of the net itself.

US companies Comcast and Cox have already sparked widespread concern about abuses of online privacy through their own controversial use of the technology. It was just recently that NebuAd offered an advertising service to network providers that would secretly sit at key places within the network and monitor all consumer communications passing through the network, using DPI to search within packets for URLs and search terms. The devices would then analyze some or all of that traffic to identify consumer behavior patterns.

NebuAd artificially inserted packets of data into the stream of traffic to redirect Web browsers to a NebuAd-owned domain for the purpose of placing unsolicited tracking cookies on the user’s computer. In March 2008, Internet users began detecting unsolicited cookies originating from NebuAd systems put in place by ISPs without notice.
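The header/data-field split described in the Free Press passage above, and the URL and search-term extraction described for NebuAd, shown as an added Python example (not code from the original post, Free Press or any vendor). The packets are constructed samples, and the port table, payload signatures and lane policy are hypothetical values chosen for illustration; the second packet shows a header-only port guess and the data field disagreeing.

```python
import socket
import struct

HTTP_METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS"}
# Hypothetical tables, invented for this example.
PORT_GUESS = {80: "web", 25: "email"}
LANE_POLICY = {"web": "fast-lane", "email": "fast-lane", "p2p": "slow-lane"}


def build_packet(src, dst, sport, dport, data):
    """Build a constructed IPv4+TCP packet (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(data), 0, 0,
                     64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp + data


def split_packet(pkt):
    """Return (header fields, data field) for an IPv4/TCP packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total_len < ihl or total_len > len(pkt):
        raise ValueError("bad IPv4 lengths")
    if pkt[9] != 6:
        raise ValueError("only TCP is handled here")
    seg = pkt[ihl:total_len]
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    sport, dport = struct.unpack("!HH", seg[:4])
    doff = (seg[12] >> 4) * 4
    if doff < 20 or doff > len(seg):
        raise ValueError("bad TCP data offset")
    header = {"src": socket.inet_ntoa(pkt[12:16]),
              "dst": socket.inet_ntoa(pkt[16:20]),
              "sport": sport, "dport": dport}
    return header, seg[doff:]


def shallow_guess(header):
    """Header-only view: the application is guessed from the port alone."""
    return PORT_GUESS.get(header["dport"], "unknown")


def visible_url(data):
    """Host plus path (and query string) of a plaintext HTTP request, else None."""
    lines = data.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] not in HTTP_METHODS:
        return None
    if not parts[2].startswith("HTTP/1."):
        return None
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
    return host + parts[1]


def deep_classify(data):
    """Deep view: the application is identified from the data field itself."""
    if data.startswith(b"\x13BitTorrent protocol"):
        return "p2p"
    if visible_url(data) is not None:
        return "web"
    if data[:10].upper().startswith((b"EHLO ", b"HELO ", b"MAIL FROM:")):
        return "email"
    return "unknown"


def inspect(pkt):
    """Compare what header inspection and deep inspection each learn."""
    header, data = split_packet(pkt)
    app = deep_classify(data)
    return {"header_only": shallow_guess(header),
            "deep": app,
            "lane": LANE_POLICY.get(app, "default"),
            "url": visible_url(data) if app == "web" else None}


# Constructed sample packets (documentation address ranges, example.com).
WEB_PKT = build_packet(
    "192.0.2.10", "198.51.100.7", 50000, 80,
    b"GET /search?q=privacy+law HTTP/1.1\r\nHost: example.com\r\n\r\n")
P2P_PKT = build_packet(
    "192.0.2.10", "198.51.100.9", 50001, 80,
    b"\x13BitTorrent protocol" + bytes(48))

if __name__ == "__main__":
    for name, pkt in (("web request", WEB_PKT), ("p2p on port 80", P2P_PKT)):
        print(name, inspect(pkt))
```
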

The good news is NebuAd is virtually gone, and thanks to an organized and effective effort by public interest groups in 2008, so too is the use of DPI technology for such purposes...for the time being. But the fact is, the manufacturers of DPI equipment are still in business (thanks partly to Iran and China), and still looking for ways to put their monitoring and discrimination tools to use here in America.

And this leads me back to the much more sinister uses of this technology being utilized by Iran and China. If ISPs in America are allowed to take advantage of DPI, how different would this really be than allowing our government to do so too?

It was OUR government that orchestrated a massive, illegal warrantless wiretapping program targeting American citizens. It was also our government that then gave retroactive immunity to those telecommunication companies that ILLEGALLY shared our private information with it...a classic government-corporate win-win deal to be sure.

In light of that tidbit of trivia, why should we believe - even for a second - that such a scenario could not occur again? Our government may someday want to monitor our movements and actions on the net. But in this case, ISPs are the gatekeepers, and it is they that can and are monitoring every "movement" we make on the net thanks to DPI technology. The government asks "can we have that please", the ISPs say "of course". Suddenly, America isn't so different from Iran and China after all...but not in a kumbaya sort of way.

"DPI technology is America's sleeping giant. It has been widely deployed by Internet service providers across the country, and could be secretly put to use without our knowledge or consent.

"The American Internet experience is not the same as that of Iran or China. But we see how dangerous this technology can be when it falls into the wrong hands, or is used for the wrong purposes. Whether DPI is wielded by a government or a big corporation, the power to pursue political or economic discrimination is disturbing."

...

"We urge our lawmakers to heed the cautionary tale of Iran and China. We should not blindly permit concentrated control over the Internet. Before this technology is widely activated, we encourage Congress to open a broad inquiry to determine what is in the best interest of the American people."

In a speech just last month, President Barack Obama did give us some reason to be optimistic, stating:

"Our pursuit of cybersecurity will not -- I repeat, will not include -- monitoring private sector networks or Internet traffic. We will preserve and protect the personal privacy and civil liberties that we cherish as Americans. Indeed, I remain firmly committed to Net Neutrality so we can keep the Internet as it should be -- open and free."

But I have a long memory, and I won't soon forget how fast and thoroughly the President flip-flopped on telecom immunity. So, let me finish by quoting the Free Press one last time from their seminal report, Deep Packet Inspection: The End of the Internet as We Know It?:

The debate over the use of DPI has only begun. Appropriate uses of DPI technologies do exist. But the applications we have seen thus far are not encouraging, and the burden of proof for their benefit rests squarely with the network operator.

It appears I have yet another important issue to cover here.

Monday, June 22, 2009

I'm going to defer on this issue today to Jeffrey Chester, executive director of the Center for Digital Democracy (CDD). CDD has been at the forefront of exposing all kinds of invasive online and mobile marketing practices as well as offering concrete regulatory measures that would more adequately protect consumer privacy. A few days back Chester testified before Congress urging it to pass legislation that would ensure meaningful consumer protection online, especially for privacy.

This from CDD's press release on his testimony: As more consumers increasingly rely on the Internet to obtain such sensitive services as financial products or health information...it is especially critical that the public be assured they will be treated fairly when engaged in online commerce.

Chester pointed to the failure of the regulatory system that should have protected Americans from irresponsible business practices that led to the current financial crisis. “As with our financial system, privacy and consumer protection regulators have failed to keep abreast of developments in the area they are supposed to oversee,” he explained. “In order to ensure adequate trust in online marketing—an important and growing sector of our economy—Congress must enact sensible policies to protect consumers.”

“Whether using a search engine, watching an online video, creating content on a social network, receiving an email, or playing an interactive video game, we are being digitally shadowed online,” Chester told a joint hearing by the House Subcommittee on Commerce, Trade, and Consumer Protection, and the Subcommittee on Communications, Technology, and the Internet. “Our travels through the digital media are being monitored, and digital dossiers on us are being created—and even bought and sold.” Singling out behavioral and “predictive” targeting for their violations of user privacy, Chester noted that the “consumer profiling and targeted advertising take place largely without our knowledge or consent, and affects such sensitive areas as financial transactions and health-related inquiries. Children and youth, among the most active users of the Internet and mobile devices, are especially at risk in this new media-marketing ecosystem.”

Chester’s CDD, in collaboration with the U.S. Public Interest Research Group (USPIRG), was instrumental in bringing the online privacy issue to the forefront in a series of petitions filed with the Federal Trade Commission in 2006 and 2007. Earlier this year, the two groups called on the agency to “conduct a special investigation into mobile marketing privacy threats and inappropriate practices targeting children, adolescents, and multicultural consumers.”

...Chester called on Congress to enact meaningful regulations to protect consumer privacy in the online and mobile arenas, effectively bringing the FTC’s Fair Information Practice Principles fully into the digital age.

“Americans shouldn’t have to trade away their privacy and accept online profiling and tracking as the price they must pay in order to access the Internet and other digital media,” Chester declared, adding that far from being an impediment to continued growth in the online sector, meaningful privacy safeguards will actually stimulate the digital economy.

“The uncertainty over the loss of privacy and other consumer harms will continue to undermine confidence in the online advertising business,” he explained. “That’s why the online ad industry will actually greatly benefit from privacy regulation. Given a new regulatory regime protecting privacy, industry leaders and entrepreneurs will develop new forms of marketing services where data collection and profiling are done in an above-board, consumer-friendly fashion.”

Yahoo argued that a consumer's privacy should be respected and that online advertisers should be transparent about practices in order to build trust. The company recently announced its new data retention policy, in which Yahoo will retain the vast majority of its Web log data in identifiable form for only 90 days.... The Direct Marketing Association, for its part, is working with the American Association of Advertising Agencies, the Association of National Advertisers, the Interactive Advertising Bureau and the Better Business Bureau on self-regulation guidelines. “We hope to be out with [those guidelines] soon. We're moving along, responding to the Federal Trade Commission,” said Jerry Cerasale, SVP of government affairs for the DMA and a hearing attendee. “This is an area where we think self-regulation can work. With technology changing rapidly all the time, we think self-regulation gives us the ability to change fairly quickly and make adjustments.”...

Interestingly, Google is reportedly in favor of federal legislation, probably due to the challenges that legislation on a local level would create. Christine Chen, a Google spokeswoman, expects legislation later this year. “Congress is certainly interested in introducing some sort of privacy legislation later this year,” Chen said. “It is really unclear to us what kind it will be. Whether it will be a broad based effort [covering consumer privacy] or whether it will be specifically related to behavioral targeting, we honestly don't know what they are going to do.” Chen said behavioral targeting is still an area of growth and opportunity. In the absence of legislation, Google introduced its own behavioral product in beta in March. Called Ad Preferences Manager, it enables the user to pick which interest-based ads they want to receive or opt out of them altogether. ...When this issue first surfaced in November 2007, privacy groups petitioned the FTC to take action. Now, Congress is involved. Last April, House members first met to discuss the possibility of introducing federal privacy legislation. One of the ideas that has been discussed is an opt-in strategy in which consumers could elect to allow their behavior to be tracked. ...Despite the continued controversy around behavioral targeting, vendors don't appear to be shying away from it. At the recent Internet Retailer Conference and Exhibition in Boston, a couple of exhibitors were showcasing new solutions with a behavioral targeting tie-in. ...Home fitness online retailer Smooth Fitness saw a nearly 20% increase in average order value using behavioral targeting, according to Amadesa. The behavioral targeting Amadesa is engaged in is based around one specific Web site, as opposed to what happens with most advertising networks, which produce cookies that follow a user from site to site.

Wednesday, June 17, 2009

The last two days' worth of revelations to emerge in regards to the ILLEGAL (formerly anyway...now it's law), warrantless wiretapping program has me feeling like I just got injected with a high potency dose of despair (don't ask me why I used that analogy...I'm distraught). If there's a synonym for "anti-hope", that would describe my frame of mind well right now. Betrayed, yes? Deceived, definitely. Disenchanted, absolutely. Disgusted, confirmed.

I don't even know where to begin today. Thankfully I've got Glenn Greenwald, James Risen, Russ Feingold, and Keith Olbermann to do most of the heavy lifting for me today, because I'm not sure I can properly communicate the outrage and righteous indignation I feel right now.

Just quickly, this all began with The New York Times article in December, 2005, that exposed an ongoing, four year program of the Bush administration that illegally spied on Americans' communications without warrants. Since that time there have been numerous additional revelations regarding this mind numbing, illegal spying program orchestrated by a rogue government run by a mishmash of corporatists, neo-conservatives, and religious fundamentalists (among others)...all with one undeniable shared value: disdain for the Constitution.

Yesterday's New York Times article by James Risen and Eric Lichtblau adds to this increasingly tragic narrative almost exactly how one would have predicted: "recent intercepts of the private telephone calls and e-mail messages of Americans are broader than previously acknowledged". Wonderful.

Political Grandstanding in Defense of the Surveillance State!

I've followed this issue like a hawk for two years on this blog, and I'm beginning to see a pattern, one that has expertly led us to the precipice on which we now stand.

It goes something like this: a disturbing surveillance state revelation is leaked (our government is listening in on our calls and emails!), this then leads to a wave of phony outrage and false promises made by a host of pandering Democrats (some are for real, like Feingold and Kucinich), then the government promises action and delivers either nothing or something that makes legal what was just illegal (nice), soon we then have another leak and new revelations that the crimes were worse than we even thought, and then comes more pandering, grandstanding, fake outrage, and promises of "tough questions", a "thorough review", and "strict oversight". Then rinse, and repeat.

So yes, the Bush Administration's illegal warrantless wiretapping program is still alive and well, with the additional protection provided by giving retroactive immunity to the telecom companies for sharing our private information with the government, which serves the dual purpose of protecting the politicians from having the telecom companies share what they know about THEIR crimes!

But it gets better, now the spying program is legal, FISA has been weakened, and the same tactics utilized by Bush and Co. (of course, we don't know what they might have used it for compared to Obama) have been adopted by former critic, and current President, Barack Obama.

But, before I get to these latest revelations reported in the New York Times, as well as Feingold's grilling of Attorney General Eric "warrantless wiretapping is not illegal anymore" Holder, Glenn Greenwald's masterful analysis, AND Olbermann's interview of James Risen on Countdown, let's first take a stroll down "horrible nightmarish memory lane", and review some of my past posts on this issue as it developed.

The Evolving Soap Opera: Some of my Past Posts

As you also may remember, it was "candidate Obama" (apparently this was just a look alike) that very specifically and articulately promised to herald in a new era of government transparency and accountability, end the Bush DOJ's radical theories of executive power, and reform the PATRIOT Act.

Instead, we have seen Obama's own DOJ now argue that under the PATRIOT Act the government shall be entirely unaccountable for surveilling Americans in violation of its own laws. Worse, over the past few months information continues to trickle out (similar to the issue of torture and the Administration's protection of those crimes) that demonstrates these spying abuses were "significant and systemic" and involve improper interception of "significant amounts" of the emails and telephone calls of Americans, including purely domestic communications; and that, under Bush (prior to the new FISA law), the NSA even eavesdropped - without a warrant - on Congresswoman Jane Harman. But it gets even worse.

We have also come to find out that the government's wiretapping program actually expanded in scope AFTER Congress enacted a new, and supposedly improved, FISA law last July - actually claiming it would better regulate the government's wiretapping powers. Opponents of this bill warned that exactly the kinds of abuses that we now know followed the bill's signing would occur.

Now, the Obama Administration and its predecessor have been using the privilege as a way to compel dismissal of entire lawsuits in advance based on the claim that any judicial adjudication of even the most illegal secret government programs would harm national security. There is no better example of this re-interpretation than the way it has been used to defend Bush and company's warrantless wiretapping program.

...

To recap: according to the Bush and Obama Administrations, since citizens cannot show their messages were intercepted, they have no right to sue, because all such information is secret. And, disclosure of whether AT&T took part in the program would tip off our enemies, so we can't have that either. How convenient for the Government and their ongoing efforts to cover up gross Constitutional abuses! Government officials are not above the law. If we can continue to fill our jails with non-violent drug users and addicts, certainly it's not too much to ask that those responsible for breaking the law and subverting the Constitution must also be accountable to the people.

The New York Times reports:

The National Security Agency is facing renewed scrutiny over the extent of its domestic surveillance program, with critics in Congress saying its recent intercepts of the private telephone calls and e-mail messages of Americans are broader than previously acknowledged, current and former officials said.

...Since April, when it was disclosed that the intercepts of some private communications of Americans went beyond legal limits in late 2008 and early 2009, several Congressional committees have been investigating. Those inquiries have led to concerns in Congress about the agency’s ability to collect and read domestic e-mail messages of Americans on a widespread basis, officials said. Supporting that conclusion is the account of a former N.S.A. analyst who, in a series of interviews, described being trained in 2005 for a program in which the agency routinely examined large volumes of Americans’ e-mail messages without court warrants. Two intelligence officials confirmed that the program was still in operation.

Both the former analyst’s account and the rising concern among some members of Congress about the N.S.A.’s recent operation are raising fresh questions about the spy agency. Representative Rush Holt, Democrat of New Jersey and chairman of the House Select Intelligence Oversight Panel, has been investigating the incidents and said he had become increasingly troubled by the agency’s handling of domestic communications. In an interview, Mr. Holt disputed assertions by Justice Department and national security officials that the overcollection was inadvertent....

The inquiries and analyst’s account underscore how e-mail messages, more so than telephone calls, have proved to be a particularly vexing problem for the agency because of technological difficulties in distinguishing between e-mail messages by foreigners and by Americans. A new law enacted by Congress last year gave the N.S.A. greater legal leeway to collect the private communications of Americans so long as it was done only as the incidental byproduct of investigating individuals “reasonably believed” to be overseas....The N.S.A. is believed to have gone beyond legal boundaries designed to protect Americans in about 8 to 10 separate court orders issued by the Foreign Intelligence Surveillance Court, according to three intelligence officials who spoke anonymously because disclosing such information is illegal. Because each court order could single out hundreds or even thousands of phone numbers or e-mail addresses, the number of individual communications that were improperly collected could number in the millions, officials said. (It is not clear what portion of total court orders or communications that would represent.)

...

But even before that, the agency appears to have tolerated significant collection and examination of domestic e-mail messages without warrants, according to the former analyst, who spoke only on condition of anonymity.

He said he and other analysts were trained to use a secret database, code-named Pinwale, in 2005 that archived foreign and domestic e-mail messages. He said Pinwale allowed N.S.A. analysts to read large volumes of e-mail messages to and from Americans as long as they fell within certain limits — no more than 30 percent of any database search, he recalled being told — and Americans were not explicitly singled out in the searches.

Congress never does anything about these revelations other than enact new laws that increase the government's spying powers still further and gut the few remaining oversight mechanisms that exist (while immunizing the lawbreakers). All of that compels the conclusion that Congress -- regardless of which party controls it -- is either indifferent to or in favor of this unchecked illegal government spying. What other conclusion could a rational person possibly reach?...A similar pattern occurs each time Congress enacts new laws to increase even further the Government's surveillance powers -- the Patriot Act of 2001, its full-scale renewal in 2006, the Protect America Act of 2007, the FISA Amendments Act of 2008. Each time, warnings are issued that the new law will not only permit, but will ensure, massive abuses and unchecked domestic spying. Those issuing those warnings are dismissed as fringe civil libertarian extremists and hysterics. The Serious mainstream of both political parties and the establishment media class unite to insist on the need for greater spying powers. Shortly after passage, new spying abuses are revealed, and proponents of the increased spying powers strut around expressing how shocked and troubled they are by these revelations. As Kagro succinctly put it yesterday: "We've had 2 presidential & 3 Congressional elections since the NYT found out we were being illegally spied on. And they're still finding it."

When Lichtblau and Risen reported similar eavesdropping abuses in April of this year, I compiled the statements issued by opponents of the FISA Amendment Act of 2008 warning that exactly those abuses would ensue, and also compiled the smug, dismissive assurances by proponents of that bill that there were more than adequate safeguards in place to "protect the civil liberties of Americans." The abuses revealed in April stemmed directly from that 2008 expansion of government eavesdropping powers under the Democratic Congress, and were 100% predictable -- and predicted.

...

If that isn't the picture of a rampant, lawless Surveillance State, what is? How, at this point, are they even able to read from this same absurd script with a straight face? And what else could the key members of Congress -- other than a Russ Feingold here and a Rush Holt there -- possibly do to make clear that they not only acquiesce to all of this, but actively support it?

Read the rest of Greenwald's article here.

Keith Olbermann Interviews NY Times James Risen

Feingold Schools Attorney General Eric Holder

What can you say about Feingold? The ONE SENATOR to have voted against the Patriot Act is still fighting the good fight, winning elections, and standing up to the surveillance state.

Watch him grill Attorney General Eric Holder yesterday about the warrantless wiretapping program and whether it is, or isn't, ILLEGAL: Then watch Holder squirm.

Shocker of the day: "Holder not only refuses to say that Bush's NSA spying program was "illegal," but does the opposite: invoking standard, still-not-withdrawn Bush DOJ executive power theories, Holder suggests that -- though the spying program was "in contravention" of FISA -- it was not "illegal."

As writer Marcy Wheeler put it:

"It's bad enough that Holder's trying to weasel out of statements he made a year ago. But I just saw the Attorney General all but suggest that contravening a law does not constitute breaking it"

In a letter dated June 15, 2009, Senator Russ Feingold urged the White House to stand up for the rule of law, saying, in part:

I am writing to reiterate my request for you to formally and promptly renounce the assertions of executive authority made by the Bush Administration with regard to warrantless wiretapping. As a United States Senator, you stated clearly and correctly that the warrantless wiretapping program was illegal. Your Attorney General expressed the same view, both as a private citizen and at his confirmation hearing.

It is my hope that you will formally confirm this position as president, which is why I sent you a letter on April 29, 2009, urging your administration to withdraw the unclassified and highly flawed January 19, 2006, Department of Justice Legal Authorities Supporting the Activities of the National Security Agency Described by the President ("NSA Legal Authorities White Paper"), as well as to withdraw and declassify any other memoranda providing legal justifications for the program.

Particularly in light of two recent events, I am concerned that failure to take these steps may be construed by those who work for you as an indication that these justifications were and remain valid.

Let me finish with Tim Jones, EFF's Activism and Technology Manager, who pointed out another important evolution of the Obama Administration's position on the power of the Executive Branch:

The Obama Administration goes two steps further than Bush did, and claims that the US PATRIOT Act also renders the U.S. immune from suit under the two remaining key federal surveillance laws: the Wiretap Act and the Stored Communications Act. Essentially, the Obama Administration has claimed that the government cannot be held accountable for illegal surveillance under any federal statutes.

The Obama administration's pro-secrecy -- and implicitly pro-warrantless-wiretapping -- stance has disappointed people who remember his campaign-trail criticisms of the last president's "wiretaps without warrants." After eight years of a growing security state, Obama was widely hoped to be the champion of badly eroded civil liberties.

Monday, June 15, 2009

The Obama Administration has now finally taken a concrete stand (against) on the beleaguered, privacy invasive program known as the REAL ID Act. As I've been repeating on this blog over and over, little was known about how Obama was going to proceed on this issue, which was made all the more mysterious after he chose Gov. Janet Napolitano as Secretary of Homeland Security.

The reason being of course that Napolitano had a VERY spotty record on the issue of privacy while Governor of Arizona, and while she did oppose REAL ID, she only did so because of her belief that it was too expensive and burdensome for the states to implement. So the big question in my mind has been whether the Administration would continue the REAL ID program, and if so, in what form, and if not, for what reasons?

The good news is - as reported in the Washington Post - that the Administration doesn't appear to be interested in continuing the program. On the other hand, it doesn't seem willing to simply abolish it altogether either (as privacy advocates would like to see).

Before I get to the article, let me give you a quick refresher course on the Act and the state revolt that it inspired. The Real ID Act was approved by Congress - underhandedly as a rider I might add - and then signed into law by President Bush in 2005 as part of the government's effort to combat terrorism.

At the time, few lawmakers even knew what they were voting for, or necessarily supported the concept to begin with. Since that time the law has evoked widespread criticism from privacy advocates and civil rights groups, which say it would create a de facto national identity card system that would be hard to manage and even harder to secure. The law requires states to issue new licenses which are supposed to screen potential terrorists and identify illegal immigrants.

This new federal identity document would be required of every American in order to fly on commercial airlines, enter government buildings, open a bank account, and more.

The common reaction from citizens and states across the country has centered on the threat it would pose to individual privacy, the high costs states would incur to implement it, the increased danger of identity theft, and the possible loss of freedoms due to expanded government power. For everything that's wrong with the REAL ID Act, check out the REAL NIGHTMARE site.

Homeland Security Secretary Janet Napolitano wants to repeal and replace the controversial, $4 billion domestic security initiative known as Real ID, which calls for placing more secure licenses in the hands of 245 million Americans by 2017. The new proposal, called Pass ID, would be cheaper, less rigorous and partly funded by federal grants, according to draft legislation that Napolitano's Senate allies plan to introduce as early as tomorrow.

The new plan keeps elements of Real ID, such as requiring a digital photograph, signature and machine-readable features such as a bar code. States also will still need to verify applicants' identities and legal status by checking federal immigration, Social Security and State Department databases.

But it eliminates demands for new databases -- linked through a national data hub -- that would allow all states to store and cross-check such information, and a requirement that motor vehicle departments verify birth certificates with originating agencies, a bid to fight identity theft. Instead, it adds stronger privacy controls and limits such development to a pilot program in Mississippi. DHS would have nine months to write new regulations, and states would have five years to reissue all licenses, with completion expected in 2016.

...

Pass ID also penalizes states that have spent millions to digitize their records, rewards laggards with federal funds and makes new requirements unenforceable, foes said. For example, the new bill kills provisions that would have required the new IDs to board airplanes and that IDs that did not comply with the requirements feature a different color or design.

Meanwhile, privacy groups also objected, saying Real ID should just be killed. "We don't want to end up with National ID Lite," said Chris Calabrese, counsel to the technology and liberty program at the American Civil Liberties Union.

Jim Harper, director of information policy studies at the libertarian Cato Institute, said the plan is "a lot softer" but will still leave more Americans' personal data subject to theft and misuse. Sens. Daniel K. Akaka (D-Hawaii) and George V. Voinovich (R-Ohio), the bill's sponsors, are seeking support from Sens. Joseph I. Lieberman (I-Conn.) and Susan Collins (Maine), the chairman and ranking Republican, respectively, on the Senate homeland security committee, and other centrist lawmakers. So far, no other Republicans have signed on.

So the "centrist theme" of the Obama Administration continues. In this case, while I'm relieved that the REAL ID Act - as once conceived at least - is finally dead, I'm once again disappointed in the Administration's reluctance to take a stronger stance in defense of the principle of privacy as well as its rather weak opposition (or worse...outright support of) to a host of Bush Administration policies that were privacy invasive at the least, and blatantly un-Constitutional (wiretapping being another example) at the worst.

I will have more to say on this "Pass ID" concept floated by the Administration once I get more information and consult some of my "go to" experts. Personally, I think the most welcomed aspect of this announcement is that the REAL ID proposal to create one super database - linked through a national data hub - has been scrapped.

Friday, June 12, 2009

Time is short today, but I felt the need to get this article up while I had a chance because it's rare that companies with the size and scope of AT&T come out and admit just how much they know about you and why. Apparently, AT&T's new privacy policy admits quite a lot in this regard. If interested, read it yourself and leave your reaction in the comments.

As you might guess, such transparency can also lead to concern, and this certainly is the case with some of what you'll read in this article. On that note, check out this piece by the New York Times' Saul Hansell on the company's new privacy policy and just what it includes (and admits). If nothing else, it's an interesting expose of just some of the ways data and details about each and every one of us make their way around the cyberworld...from company to company, for a myriad of different purposes, all in the name of profit:

These days AT&T knows a great deal about its customers: who they call, where they travel, what they watch on TV, what sites they visit on the Web...AT&T has decided that appearing to take the high ground on privacy will help it in Washington in its battle with Google, and perhaps will improve its image among those who are angry about its cooperation with the government’s warrantless wiretapping program....It makes clear that AT&T knows where its cellphone customers are and uses that information to show ads for local merchants when they check yellow pages and use other services. The policy is certainly explicit in addressing many practices that other companies gloss over. For example, it says that AT&T buys information about customers from credit bureaus and mailing list aggregators. And it explains how it tracks users of its Web sites and then can use that data to tailor ads to them on other sites.

...

AT&T’s privacy policy, perhaps more than for other companies, has a political component. Its previous policy, released six months after the warrantless wiretapping program was first published, says in the third paragraph:

We also have an obligation to assist law enforcement and other government agencies responsible for protecting the public welfare, whether it be an individual or the security interests of the entire nation.

Taken as a whole, the new document shows that AT&T has access to a vast amount of information about people, and it claims the right for all parts of AT&T to do almost anything with that data, including trying to sell customers other services, set prices and sell advertising to other companies.

AT&T set a few limits, most significantly that it won’t sell personal information about customers to third parties, except, of course, that it publishes the name, address and phone numbers of all its local telephone customers who don’t pay for unlisted numbers.

The site is up front about the fact that it will give information about you in response to government subpoenas, government orders and lawful discovery requests in civil suits. AT&T does not say it will notify you in advance that it is going to turn over information in response to a government order or lawsuit, except in the case of TV viewing information where such notice is required by law. (The company offers television programming through its U-verse Internet service.)

The policy offers only one significant choice: Customers can send an e-mail to request that AT&T not market to them by e-mail, telephone or postal mail. It also offers a procedure for customers to request the billing information AT&T keeps about them, but it doesn’t offer a window onto the Web tracking, television usage monitoring and location following that the company does.

...

The company says it can keep all the information it collects about customers as long as they do business with AT&T. Many privacy advocates argue that a policy to have records regularly destroyed can be an important way to prevent their misuse.

And the company gives itself wide authority to do most anything with data that it defines as anonymous or aggregate. That means it well create a service that would let advertisers put ads on the cellphones of “American Idol” fans in Pittsburgh who call florists more than once a week. But interestingly, AT&T has created a rather broad definition of what is personal information, rather than anonymous information. This is important because a lot of data that some companies assert is not personally identifiable, like Internet Protocol addresses, sometimes can be used to track down individuals. AT&T says it will treat as personal “information that directly identifies or reasonably can be used to identify an individual Customer or User.” That definition forces the company to protect anything that can reasonably be used to track someone down.

So there you have it. No new or ground breaking rights are being offered to the consumer by the company, nor are they treating our private information with the kind of respect and care that I think any privacy advocate would desire. But, they've really come clean on a lot in regards to just how much they know about you, what they will use that information for (hint: to make more money), why it will keep the data for as long as you remain a customer, and that it can be forced to give all that information to the government without giving you the chance to object.

So with all that said, I'm not sure how to react to this...I guess it's a kind of "I'm glad they came clean, it's as bad as I thought, and now what?" one...

Wednesday, June 10, 2009

An article I wrote was just published on the California Progress Report that analyzes the pros and cons of the recent brief submitted to the Supreme Court by the Obama Administration. The brief, thankfully, recommends that the Court not review the banking industry’s appeal of California's landmark financial privacy law - at least until further experience in California reveals financial burdens for the banks or legal conflict.

From our perspective, the Administration’s recommendation to the Court was based primarily on two key arguments. One, that the banking industry (to date mind you) had effectively adapted to the rules set by SB 1, and two, that the California law did not represent the dire threat with the kind of “nationwide consequences” that the banks claimed (i.e. that other states would adopt similar “unfair” protections).

In other words, according to the Administration, its “defense” of SB 1 was simply a practical matter: ‘Since California's law did not cause harm to banks and was limited only to California, the Supreme Court should not spend any time reviewing the case.’

For those that don't know, in 2003, the passage and signing of SB 1 (Speier) gave consumers the right to stop all sharing of personal information within a family of affiliated companies, as long as it is not related to credit worthiness. Since that time the banks have been working non-stop to overturn the law.

Their work paid off, at least to the extent that the Supreme Court is currently considering taking up the banks’ appeal of a 2008 decision by the 9th Circuit Court that upheld almost all provisions of the Act (SB 1). On March 9th, the Supreme Court invited the Obama Administration to voice its opinion.

While the Administration's position, and recommendation to the Court, is an improvement over that taken by President Bush - who was actively supporting the banks' appeal, arguing that California should not be permitted to regulate banks' privacy practices - the brief doesn't necessarily translate into a victory for privacy advocates.

There is however, a more positive take than mine (and again, I do believe SB 1 is safer than it was absent the Administration's recommendation...I just wish it would have gone further) on the Administration's brief, and it comes from Chris Larsen, CEO, Prosper Marketplace and co-founder of Californians for Privacy Now, the organization that spearheaded a 2003 ballot initiative campaign that turned fierce banking industry opposition into acquiescence with SB 1.

While we understand the concern that strong Federal preemption could weaken some State consumer protections, we actually see the Obama view as very positive. We founded “Californians For Privacy Now” to address a lack of Federal will to act on financial privacy rights following the 9/11 attacks. Just before the attacks, a Federal financial privacy law looked very promising with several Senators and Representatives interested in backing Federal legislation. In fact, on the morning of September 11th, 2001 we were just entering a meeting with nine Senators to discuss our views on privacy when the horrible news hit. The meeting was cancelled and Federal Privacy legislation went into a deep freeze.

The only option left was to seek a bill or ballot initiative in California that would set a strong example and convince the banks that they couldn’t use 9/11 to dodge consumer privacy rights. Fast forward eight years and that is basically exactly what we have - a strong California bill that the Administration believes is workable and an apparent strategy to work on a national version to ensure all Americans are equally protected. It seems likely that the administration is also signaling to the banks that if they support a national standard, there is a way out of their worst nightmare, which is facing 50 different versions of data privacy rules. Preemption is a problem when good state ideas are preempted by weak or non-existent Federal rules, as we’ve had up to now. The hope from the Obama administration is that you can get both strong consumer protection and an efficient unified national market.

It goes without saying that I would LOVE to see a uniform, national standard on the issue of financial privacy that mimics California's SB 1 (or something close to it). I have put some feelers out to some of my legal expert friends on how they interpreted the Administration's brief and what it might mean in the future - both in terms of SB 1 and that of the nation at large. In some ways at this point, it's anybody's guess.

PRIVACY REVOLT! tackles the issues at the intersection of civil liberties and technology, with news and commentary on government and corporate surveillance, identity theft, data brokers, tracking devices, and the security of consumers' financial, medical, and phone records.
